[PR #6846] [MERGED] bugfix: firemon: avoid cmd double-free in procevent_monitor #6194

Closed
opened 2026-05-05 10:52:28 -06:00 by gitea-mirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/6846
Author: @grey3228
Created: 7/31/2025
Status: Merged
Merged: 8/18/2025
Merged by: @netblue30

Base: master ← Head: fix/procevent_monitor_cmd_double_free


📝 Commits (1)

  • 5ec00f7 fix: avoid cmd double-free in procevent_monitor

📊 Changes

1 file changed (+3 additions, -1 deletions)


📝 src/firemon/procevent.c (+3 -1)

📄 Description

There is a possible execution path in procevent_monitor function, where allocated memory for cmd may be deallocated twice:

```c
char *cmd = pids[pid].option.event.cmd;
if (!cmd) {
	cmd = pid_proc_cmdline(pid);
}
if (add_new) {
	...
}
else if (proc_ev->what == PROC_EVENT_EXIT && pids[pid].level == 1) {
	...
}
else {
	if (!cmd) {
		cmd = pid_proc_cmdline(pid);
	}
	if (cmd == NULL || nodisplay)
		sprintf(lineptr, "\n");
	else {
		sprintf(lineptr, " %s\n", cmd);
		free(cmd);  // <-- First deallocation
	}
	lineptr += strlen(lineptr);
}
...
// unflag pid for exit events
if (remove_pid) {
	if (pids[pid].option.event.user)
		free(pids[pid].option.event.user);
	if (pids[pid].option.event.cmd)
		free(pids[pid].option.event.cmd);  // <-- Second deallocation
	memset(&pids[pid], 0, sizeof(Process));
}
```

The double-free could occur if:

  • pids[pid].option.event.cmd != NULL (i.e., a command was previously cached);
  • remove_pid != 0 (i.e., the process is exiting);
  • Control flow passes through both code blocks (e.g., for a non-Firejail process exit event).

In this PR we add a check before deallocating memory.

Fixes: #6792


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

gitea-mirror 2026-05-05 10:52:28 -06:00
Reference: github-starred/firejail#6194